By Bill Brenner, Senior Editor

2009 Rewind: 3 Tales of FUD

Dec 17, 2009

Application Security, Compliance, Cybercrime

CSO Senior Editor Bill Brenner chooses his three nominees for 2009's worst case of messaging based on fear, not fact.

As we wrap up another year of security vendors ringing the alarm bell about every conceivable threat and the media willingly playing along, it’s time to reflect on stories that got lots of attention but didn’t necessarily do much to move security in a better direction.

Here are three such tales of fear, uncertainty and death (FUD) that were certainly problematic, but not enough to blast us from existence:

1. The Black Screen of Death

Just a couple weeks ago, a British security vendor named Prevx stirred up all kinds of angst by announcing that recent Windows security updates were sparking mass “black screen” lock-outs. Here’s how Gregg Keizer, my colleague from across the aisle at Computerworld, described the debacle in his story:

“The brouhaha began when Prevx said the Windows security updates issued in November changed Access Control List (ACL) entries in the registry, preventing some installed software from running properly. The result, said Prevx, was a black screen, sometimes dubbed the “black screen of death” — a reference to the “blue screen of death” that Windows puts up after a major system crash. Microsoft said it was investigating the reports, but by Tuesday it was denying that its updates caused black screens. Moreover, said Microsoft, its technical support teams were not fielding any appreciable number of customer calls on the issue. Microsoft turned up the heat on Prevx yesterday in other ways, as well. Roger Halbheer, Microsoft’s chief security advisor for the company’s European, Middle Eastern and African operations, argued that the black screen news was causing customers to delay deploying Windows security updates.”

After Microsoft pushed back, Prevx came out with this bizarre blog posting that attempted an apology, though it was just as mired in “we-really-didn’t-say-this” speak:

“As you will see, at no time have we categorically stated that these patches are the cause of the Black Screen problem. We shared our initial findings around the two patches with Microsoft, conducted further tests and have confirmed that these specific updates are not the root cause. Regrettably, it is clear that our original blog post has been taken out of context and may have caused an inconvenience for Microsoft. This was never our intention and we have already apologized to Microsoft. Microsoft is a valued partner and our fix was developed to ensure its customers were able to quickly resolve the Black Screen issue without having to reinstall Windows as some users indicated.”

2. Cyber-Katrina

Paul Kurtz — a long-time homeland security expert who served on the transition team of then President-Elect Obama and whose name had been bandied about for the much-hyped White House cybersecurity coordinator job — pushed the overdrive button this year in Congressional testimony and at more than one security conference by throwing around the term “Cyber-Katrina” to describe the nation’s lack of preparedness in readying for a potentially devastating cyberattack.

We’ve been hearing about this in recent years under the tasteless title of a “Cyber Pearl Harbor.” Not that the concept is all that far-fetched. Ira Winkler, long a critic of the whole idea, even wrote a recent column suggesting we may indeed see such calamity because of the emerging smart grid (see I was Wrong: There Probably Will Be an Electronic Pearl Harbor).

The problem with such talk is that it takes the average CSO’s eyes off the ball. So much time is spent worrying about Armageddon that not enough attention is paid to the smaller attacks that undermine our cyber infrastructure — namely those launched by evil seeds who would rather keep the machinery running so they can quietly use it to break into company databases, steal sensitive data and make money. Just as there’s no crying in baseball, there’s no money in cyber destruction. The second point here is that there is only so much individual IT security practitioners can do to stop Armageddon if it’s really going to happen. But the smaller threats are something they CAN do something about. In the process of focusing more on the little things, the larger backbone of the Internet may well be strengthened.

3. Patch Tuesday Panic

Sure, Microsoft’s October Patch Tuesday update was the largest ever. But Jason Miller, security and data team manager for patch management vendor Shavlik Technologies, helped nobody by throwing around such FUD-laced descriptions as an “administrative nightmare.”

I’m instantly skeptical when claims like these are made because just about every IT shop I’ve visited in nearly six years of covering security shows me patching procedures that are pretty smooth and consistent, no matter how heavy the patch load.